THE UNIVERSITY OF SCIENCE, VNU-HCM

FACULTY OF ELECTRONICS AND TELECOMMUNICATIONS

DEPARTMENT OF TELECOMMUNICATIONS AND NETWORKS

COURSE
NETWORK TECHNOLOGY

Chapter 1 Windows Domain

ACTIVE DIRECTORY
01
September 16, 2022

Nguyen Viet Ha, Ph.D. Email: [email protected] 2

Workgroup Workgroup

❖A peer-to-peer group of computers that share resources. ❖As small as two computers, or it can scale up to be quite large.

➢Small pool of systems ideally 15 or less. 200 systems.

➢Decentralized in every way.
o May have a central server using to consume various services. ❖Self-authentication and self-authorization
for access to resources.

o Or share data from individual workstations.

Overload Weak
3/72
/50 4/72
/50
 Workgroup Workgroup

❖Authentication ❖Authorization
➢When connecting to a shared resource on a computer, you are first ➢Checks the permissions of the authenticated user and controls
prompted to supply a valid username and password on that access to functions based on the roles that are assigned to the user.
computer that has permissions to access the resource.

5/72
/50 6/72
/50

Workgroup Workgroup

❖The authentication process for the user log-in ❖SAM objects include the following:
is at the local computer.
➢SAM_ALIAS: A local group

➢SAM_GROUP: A group that is not a local group

❖Windows stores user accounts and security descriptors in a database
file called Security Account Manager (SAM). ➢SAM_USER: A user account

➢It authenticates local user logons. ➢SAM_DOMAIN: A domain

➢The SAM database resides in the Windows registry.
➢SAM_SERVER: A computer account
(C:\WINDOWS\system32\config)
➢Available on Windows XP, Vista, 7, 8.1, 10, and 11.
7/72
/50 8/72
/50
 Workgroup Workgroup

❖Advantages: ❖Disadvantages:
➢Very simple to manage. ➢Low security.
o Passwords may not be changed very often.
➢Simply configure a resource for sharing and define who ▪ If they are changed, a user may update his password on a few
you want to share that resource with because systems but not on all of them, and then end up out of sync.
everything is set locally.

➢Less scalability.
➢Inexpensive option because you don’t need multiple
servers to support a workgroup.

9/72
/50 10/72
/50

Domain Domain

❖A logical grouping of computers that authenticate ❖Once authenticated, the user receives a token that follows them
to a central database of users stored on special around the network and automatically proves their identity to other
servers called domain controllers. domain-joined servers and clients.

➢Allow to access resources that specifically grant them access.

➢When users log into a computer that is joined
to a domain, their usernames and passwords
❖Only need to authenticate once to a domain controller to prove their
are authenticated on the nearest domain
identity to all domain members, this feature is called single sign-on.
controller.

❖
11/72
/50 12/72
/50
 Domain Domain

❖The software components that provide for this functionality are ❖Advantage ❖Disadvantage
collectively called Active Directory. ➢Centralization ➢Complex
➢Contains many other services and components to centrally manage
➢Manageability ➢High level of administration
and secure the computers that are joined to the domain.
➢Scalability ➢High-performance devices (server, router,
o Group Policy can also be used to configure operating system
➢Tight Security switch)
settings, security, and software for different computers and users
➢Single-Sign-On ➢Expensive
in the domain.
o Active directory Certificate Services can be used to
automate the configuration of deployment of encryption
certificates to domain computers and users.
13/72
/50 14/72
/50

Active Directory

❖A directory service that stores user/computer accounts, applications,

printers, shared folders, group policies, and all kinds of records.
➢The main Active Directory service is Active Directory Domain
Services (AD DS).

2 Active Directory o Provide centralized authentication and support single sign-on to

computers on the network that are joined to an Active Directory
domain.

15 16/72
/50
 Domain Domain

❖AD DS consists NTDS.DIT (New Technology Directory Service. ❖Logically separated into the following partitions:
Directory Information Tree) file (%SystemRoot%\NTDS\Ntds.dit) ➢Schema Partition: contains the definition of objects and rules for
their manipulation and creation in an active directory.
➢Configuration Partition: contains the forest-wide active directory
➢is a database that stores all Active Directory data, including
topology including DCs and sites and service.
information about user objects, groups and group membership as
➢Domain Partition: contain information about users, groups,
well as password hashes for domain users.
computers and OUs.
➢Application Partition: stores information about applications in an
AD. Suppose AD integrated DNS zones information is stored in this
partition.
17/72
/50 18/72
/50

Active Directory

❖Each domain controller (DC) has ❖After the domain controller validates your user name and password, it
a centralized copy of the Active issues your computer an encrypted token that lists:
Directory database. ➢Domain user account.
➢Domain group accounts of which you are a member.

➢Tokens can only be decrypted by computers that participate in the

same Active Directory domain.
➢Destroyed when you log out of your system.

19 20/72
/50
 Active Directory Active Directory

❖When you access a shared resource on another computer in domain, ❖AD DS is composed of both logical and physical components
your token is automatically sent with the request to the target computer
to verify your identity.

➢You are then granted or denied access to the resource according to

the permissions assigned to your domain user and group accounts
listed within the resource’s ACL (Access Control List).

21/72
/50 22/72
/50

Active Directory Objects

❖An object is the most basic component

in the logical structure of AD defined
within the Active Directory database.

3 Active Directory Structure

❖The Active Directory schema stores a
list of all available object types (called
classes, e.g., user) and their associated
properties (called attributes).
23 24/72
/50
 Active Directory Objects Active Directory Objects

❖Leaf objects: represent a user account, group account, computer ❖Domain (or Active Directory domain): used to group and manage
account, network resources published to the Active Directory database objects.
e.g., (shared printers). ➢Creates a management boundary.
➢Given a unique DNS domain name, such as domain1.com.
❖Container objects: used to group leaf objects for ease of
➢Each domain object often represents a separate business unit within
administration and the application of Group Policy. There are three main
your organization and can contain OUs as well as leaf objects.
container:
➢Domains
➢Organizational units (OUs)
➢Sites
25/72
/50 26/72
/50

Active Directory Objects Active Directory Objects

❖Organizational Unit (OU): contains leaf objects or other OUs (called ❖Site: represent physical locations within your organization.
child OUs). ➢Each physical location contains a LAN that communicates with other
physical locations over an WAN/Internet connection.

❖The OU structure you create ➢By representing each physical location with a site object, you can

for each domain should create settings that control the replication of Active Directory

reflect the structure information across the Internet.

within that particular

business unit.

27/72
/50 28/72
/50
 Active Directory Forests and Trees Active Directory Forests and Trees

❖Domains are often used to represent a single business unit within an ❖Forest: a collection of Active Directory domains that share a schema
organization. => suitable for smaller organizations. and some security principals.
➢The vast majority of organizations in the world have a single forest
domain.
❖Larger organizations often have multiple business units, and each
business unit may need to access resources within other business units. ➢Multiple domain forests are generally used by larger geographically
dispersed organizations.

❖Active Directory forests are used to provide for multiple domains within
the same organization.

29/72
/50 30/72
/50

Active Directory Forests and Trees Active Directory Forests and Trees

❖When install the first domain controller within the first domain in an ❖Trees: a collection of one or more domains that share a common
namespace.
organization, a forest is created with the same name as this first ➢Ex: domain2.com, hcm.domain2.com, and hn.domain2.com
domain. domains share the same core domain name, we refer to them as the
domain2.com tree.
❖The first domain in a forest is called the forest root domain.
❖The domain2.com domain is called the parent domain within the tree,
and the hcm.domain2.com and hn.domain2.com domains are called
domain1.com domain2.com child domains.
(forest root domain)

❖The domain1.com domain is also a tree but without child domains.

hcm.domain2.com hn.domain2.com

❖The first domain in a tree is called the tree root domain.

domain1.com FOREST
31/72
/50 32/72
/50
 Forest Tree
Root Root
HCM.com HN.com
Domain Domain
Tree
Root
Domain
Q1.HCM.com Q5.HCM.com BD.HN.com HK.HN.com

4
Child
Domain
Active Directory Trusts

P1.Q1.HCM.com P2.Q5.HCM.com P1.BD.HN.com P2.HK.HN.com

TREE DOMAIN TREE DOMAIN

FOREST DOMAIN 33 34

Active Directory Trusts Active Directory Trusts

❖Small organizations often may have ❖Trust Flow:
only one domain, but larger ➢Transitive trust: Domain 1 trusts Domain 2, and Domain 2 trusts
organizations will end up with Domain 3 => Domain 1 will also trust Domain 3.
multiple domains.
➢Nontransitive trust: Domain 1 trusts Domain 2, and Domain 2
trusts Domain 3; however, Domain 1 does not trust Domain 3.

➢One-way trust: establishes trust in one direction only. Domain 1

trusts Domain 2, but Domain 2 does not trust Domain 1.

❖To simplify administration and the user experience, you can set up
trusts between domains so that an authenticated user in one domain ➢Two-way trust: bidirectional trust relationship. If Domain 1 trusts
can access resources in another domain without having to authenticate Domain 2, then Domain 2 also trusts Domain 1
with a separate set of credentials.
35/72
/50 36/72
/50
 Active Directory Trusts Active Directory Trusts
❖AD DS Trust Types: ❖AD DS Trust Types:
➢Parent-Child Trust: trust relationship automatically created and ➢Tree-Root Trust: trust relationship automatically created and
establishes a relationship between a parent domain and a child establishes a relationship between the forest root domain and a new
domain. tree.
➢They’re transitive and they can be created as two-way trusts. ➢They can be transitive and created as two-way trusts.

Tree Root trust

domain1.com domain1.com
domain2.com
Parent-Child Parent-Child Parent-Child Parent-Child
trust trust trust trust Parent-Child
trust

a.domain1.com b.domain1.com a.domain1.com b.domain1.com

c.domain2.com

37 domain1.com FOREST 38

Active Directory Trusts Active Directory Trusts

❖AD DS Trust Types: ❖AD DS Trust Types:
➢Shortcut trust: are used on Windows Server domains that reside in ➢Realm trust: allows to create a trust between a Windows Server
the same forest, where there is a need to optimize the authentication domain and a non-Windows (Linux, Unix, or MacOS Server) Kerberos
process. This may happen when a user on Domain A frequently realm.
needs to authenticate to Domain B. ➢They can be transitive or nontransitive and created as one-way or
➢They can be transitive and created as one-way or two-way trusts. two-way trusts.
Tree Root trust Tree Root trust
domain1.com domain1.com Realm trust UNIX
Shortcut trust domain2.com Shortcut trust domain2.com Kerberos
Parent-Child Parent-Child V5 Realm
trust trust

a.domain1.com b.domain1.com a.domain1.com b.domain1.com

c.domain2.com c.domain2.com

domain1.com FOREST 39 domain1.com FOREST 40

 Active Directory Trusts Active Directory Trusts
❖AD DS Trust Types: ❖AD DS Trust Types:
➢External trust: External trusts connect a Windows Server domain ➢Forest trust: Forest trusts create a trust relationship between two
in one forest to another Windows Server domain (Windows NT 4.0 Windows Server forests.
and non-Windows Kerberos realms) in a different forest. ➢They’re transitive and can be established as one-way or two-way
➢They’re nontransitive and created as one-way or two-way trusts. trusts.

Tree Root trust Tree Root trust Forest trust

domain1.com domain1.com
domain2.com domain3.net domain2.com domain3.net
Shortcut trust Shortcut trust
Parent-Child Parent-Child
trust trust

External trust External trust

a.domain1.com b.domain1.com a.domain1.com b.domain1.com
c.domain2.com a.domain3.net b.domain3.net c.domain2.com a.domain3.net b.domain3.net

domain1.com FOREST domain3.net FOREST 41 domain1.com FOREST domain3.net FOREST 42

Global Catalog
❖A single forest can contain an unlimited number of domains.
➢Each domain can contain an unlimited number of objects.

o Need the optimal way to locate objects quickly within different

domains.

5 Global Catalog

43 44/72
/50
 Global Catalog Global Catalog
❖Global Catalog (GC): ❖The GC allows users to quickly find
➢Allows users and applications to find objects in an Active Directory objects of interest without knowing what
domain tree, given one or more attributes of the target object. domain holds them and without requiring
a contiguous extended namespace in the
enterprise.
➢Holds a replica of every object in the directory (in naming context)
and a small number of their attributes.
o The attributes in the GC are those most frequently used in search
operations (such as a user's first and last names or login names)
and those required to locate a full replica of the object.
➢For example, when assigning permissions
on a resource, the interface you use will
➢Stored on at least one domain controller in the forest.
allow you to select users and groups
➢The default is the first Domain Controller created in the Forest. within other domains in the forest from a
➢Can config in other Domain Controller to load balancing. list that is provided by the GC.
45/72
/50 46

Global Catalog Global Catalog

❖For user account objects, the global catalog stores a unique name ❖The GC is updated when objects are added or removed within any
that users can use to log into their domain from any computer in the domain in the forest.
forest. ➢These updates must be replicated to all other domain controllers that
hold a copy of the GC.
➢User Principle Name (UPN): username@domainname.
o Preferred to as User logon name
o Unique in the forest.

➢Require when logging into a computer as a user account within

another domain in the forest.
o GC is contacted to verify the UPN and locate a domain controller
that can complete the authentication process.

47/72
/50 48/72
/50
 Global Catalog
❖In site environment, GC replication may congest the Internet bandwidth
in locations that have a slower Internet connection.
➢Enable Universal Group Membership Caching (UGMC) on sites to
hold a copy of the global catalog to provide fast authentication.

6
o Domain controllers must contact a remote global catalog the first
time each user authenticates to the domain in order to verify their Authentication Process
universal group memberships.

o These universal group memberships are then cached on the

domain controller, and subsequent authentication requests use
the universal group membership information for the user stored
in the cache, eliminating the need to contact a remote global
catalog.
49/72
/50 50

Authentication Protocols Authentication Protocols

❖NT LAN Manager (NTLM): ❖Kerberos Network Authentication Service (V5) protocol
➢Current version: 35.0 (4/29/2022) (Kerberos V5):
➢Current version: Version 5, Release 1.20 (26 May 2022)
➢Used for authentication between clients and servers.
o Authorization information: ➢Used for authentication between clients and servers in DC (default).
▪ Group memberships. o Authorization information:
▪ Interactive logon information. ▪ Group memberships
▪ Message integrity. ▪ Interactive logon information
▪ Message integrity
➢Replaced by Kerberos.
➢Support Single Sign-On

➢High security.

51/72
/50 52/72
/50
 Authentication Protocols Authentication Process KDC: Key Distribution Center
TGT: Ticket-Granting Ticket

❖Kerberos Network Authentication Service (V5) protocol

(Kerberos V5):
2. The credentials are
➢Replaces NTLM in AD. encrypted by the client
➢However, NTLM can be used when the Kerberos do not work. and sent to a domain
controller.
o One of the machines is not Kerberos-capable.
o The server is not joined to a domain.
o The Kerberos configuration is not set up correctly.
o The implementation chooses to directly use NLMP.

3. The encrypted credentials are matched against

the encrypted credentials on the domain controller.

1. The user enters credentials at a workstation to perform an interactive logon.

53/72
/50 54/72
/50

Authentication Process KDC: Key Distribution Center

TGT: Ticket-Granting Ticket Authentication Process KDC: Key Distribution Center
TGT: Ticket-Granting Ticket

5. The domain controller queries the

global catalog to identify the universal
groups to which the user belongs. 7. The client requests access
to a resource that resides on a
specific server.
6. The KDC issues the client a 4. The domain controller
ticket-granting ticket (TGT). creates a list of the
domain-based groups to
which the user belongs.

8. The client uses the TGT

to gain access to the ticket-
granting service (TGS), on
the domain controller.
55/72
/50 56/72
/50
 Authentication Process KDC: Key Distribution Center
TGT: Ticket-Granting Ticket Authentication Process KDC: Key Distribution Center
TGT: Ticket-Granting Ticket
9. The TGS issues a service ticket (session ticket) for 10. The client presents the session ticket to the server
the server where the resource resides to the client. where the resource resides.

The session ticket contains the SIDs for the users The Local Security Authority (LSA) on the server uses
group memberships. the information in the session ticket to create an access
token.

57/72
/50 58/72
/50

Authentication Process KDC: Key Distribution Center

TGT: Ticket-Granting Ticket

11. The LSA compares the SIDs in the access token with the groups that are
assigned permissions in the resources discretionary access control list (DACL). If
they match, the user is granted access to the resource.

Flexible Single Master Operations

7 (FSMO) Role

59/72
/50 60
 Multi-master model FSMO Role
❖Active Directory is the central repository in which all objects in an ❖Need a conflict resolution algorithm.
enterprise and their respective attributes are stored. ➢Which changes were written last, which is the last writer wins.
➢It's a hierarchical, multi-master enabled database that can store ➢The changes in all other DCs are discarded.
millions of objects.
➢Changes to the database can be processed at any domain controller ➢However, there are times when conflicts are too difficult to resolve
(DC) in the enterprise. using the last writer wins approach.
➢In such cases, it's best to prevent the conflict from occurring rather
than to try to resolve it after the fact.
➢Possibility of conflicts that can potentially
lead to problems once the data is replicated
❖For certain types of changes, Windows
to the rest of the enterprise.
incorporates methods to prevent
conflicting Active Directory updates
from occurring.
61/72
/50 62/72
/50

Single-master model FSMO Roles

❖To prevent conflicting updates, the Active Directory performs updates to ❖Schema master
certain objects in a single-master fashion. ➢Manages the read-write copy of your Active Directory schema.
➢Only one DC in the entire directory is allowed to process updates. o The AD Schema defines all the attributes – things like employee
ID, phone number, email address, and login name – that you can
❖Active Directory includes multiple roles, and the ability to transfer roles apply to an object in your AD database.
to any DC in the enterprise.

❖Five (Flexible Single Master Operations) FSMO roles:

63/72
/50 64/72
/50
 FSMO Roles FSMO Roles
❖Schema master ❖Domain naming
➢Only one DC can process updates to the AD schema. ➢Manages the forest-wide domain name space of the directory.
o Once the Schema update is complete, it's replicated from the ➢Only one DC can add or remove domains and application
schema master to all other DCs in the directory. partitions from the directory.

➢There's only one schema ➢There's only one Domain

master per forest. naming per forest.
o Default: Primary DC (PDC) o Default: Primary DC (PDC)
of the Forest Root Domain. of the Forest Root Domain.

65/72
/50 66/72
/50

FSMO Roles FSMO Roles

❖Relative Identifier (RID) master ❖Primary Domain Controller (PDC) emulator
➢Allocating Relative Identifier (RID) pools to DCs in its domain. ➢Controls authentication within a domain.
o When a DC creates a security principal object (e.g., user or o Responds to authentication requests,
group), it attaches a unique SID to the object, consists of: changes passwords, manages Group
Policy Objects, account lockout.
▪ A domain SID that's the same
for all SIDs created in a domain. ➢Synchronize time in an enterprise.
▪ A RID that's unique for each
security principal SID created in ➢Backward compatibility.
a domain. o Performs all of the functionality that a Windows NT 4.0 Server-
based PDC or earlier PDC performs for Windows NT 4.0-based or
➢Moving objects from one domain to
earlier clients.
another within a forest.
➢There is one RID Master in each domain in an Active Directory forest ➢There is one in each domain in an Active Directory forest
67/72
/50 68/72
/50
 FSMO Roles FSMO Roles
❖Infrastructure master ❖Infrastructure master
➢Updates an object's SID and Distinguished Name (DN) in a cross-
domain object reference. ➢Review the Distinguished Name (DN):
➢When an object in one domain is referenced by another object in o Unique in the Forest.
another domain, it represents the reference by:
o The Globally Unique Identifiers o Includes enough information to locate a replica of the partition
(GUID). that holds the object.
o The SID (for references to security
principals). ▪ Is a sequence of relative distinguished names (RDN)
o The DN of the object being connected by commas.
referenced.
➢There is one in each domain in an
Active Directory forest.
69/72
/50 70/72
/50

FSMO Roles
THANK YOU FOR YOUR ATTENTION
❖Infrastructure master

➢Review the Distinguished Name (DN):

▪ An RDN is an attribute with an
associated value in the form
attribute=value.

▪ Ex: Nguyen Viet Ha, Ph.D.

- CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM Department of Telecommunications and Networks
Faculty of Electronics and Communications
- CN=Karen Berge,CN=admin,DC=corp,DC=Fabrikam,DC=COM The University of Science, Vietnam National University, Ho Chi Minh City
Email: [email protected]
71/72
/50